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[DOCUMENT NAME] SPECIFICATION 

[TITLE OF THE INVENTION] NETWORK AND EDGE ROUTER 
[ CLAIMS ] 

1 . A network for forming a VPN on a shared network and 
communicating via the VPN, comprising: 

a core network of the VPN formed by a label switching 
network; 

access networks formed by VLANs to access said core 
network; and 

interface devices provided at edges of the label 
switching network for interfacing said label switching network 
and the VLANs. 

2 • The network according to claim 1 , wherein said interface 
devices are edge routers provided at edges of an MPLS network 
serving as said label switching network, said edge routers 
including: 

a transmit-side edge router for converting a 
packet, which is sent from a VLAN, to an MPLS packet and 
transmitting the packet to the MPLS network; and 

a receive-side edge router for converting the 
MPLS packet, which has been received from the MPLS network, to 
a VLAN packet and directing the VLAN packet to a VLAN that belongs 
to the same VPN as that of a VLAN on the transmit side, 
3. The network according to claim 1, wherein each of said 

edge routers has a first table storing correspondence 
between VLAN identifiers (VIDs) contained in VLAN packets and 
VPN labels contained in MPLS packets; 
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said transmit-side edge router finds a VPN label, which 
corresponds to a VLAN identifier (VID) of a VLAN packet, from 
said first table, generates an MPLS packet having this VPN label 
and sends this MPLS packet to the MPLS network; and 

said receive-side edge router finds a VID, which 
corresponds to a VPN label contained in an MPLS packet received 
from the MPLS network, from said first table, generates a VLAN 
packet having this VID and sends this VLAN packet to a VLAN 
indicated by this VID. 

4. The network according to claim 3 , wherein each of said edge 
routers includes: 

a route decision unit for deciding a route which directs 
an MPLS packet to a receive-side edge router; and 

a second table for storing forwarding labels, which 
specify routes decided by said route decision unit, mapped to 
addresses of receive-side edge routers; 

said transmit-side edge router finds a receive-side edge 
router corresponding to a destination of a packet, finds a 
forwarding label, which corresponds to the receive-side edge 
router, from said second table, generates an MPLS packet that 
contains the VPN label and the forwarding label and sends this 
MPLS packet to the MPLS network. 

5 . The network according to claim 4 , wherein an edge router 
which constructs the VPN and is connected to a VLAN sends another 
edge router an address set composed of an address of a 
VLAN-compatible device connected to the first-mentioned edge 
router and the address of this edge router, and each edge router 
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creates Layer 2 routing table based upon the received 
information; and 

said transmit- side edge router finds a receive-side edge 
router, which corresponds to the destination of the packet , from 
said Layer 2 routing table. 

6. An edge router in a network for forming a VPN on a shared 
network, forming a core network of the VPN by an MPLS network 
and forming an access network, which is for accessing the core 
network, by a VLAN, wherein a transmit-side edge router 
comprises : 

means for storing a corresponding relationship between 
VLAN identifiers (VIDs) and VPN labels serving as VPN 
identifiers; and 

an MPLS packet generating unit for finding a VPN label 
corresponding to a VID, which is contained in a packet sent from 
the VLAN, using the corresponding relationship, generating an 
MPLS packet that includes this VPN label and sending this MPLS 
packet to the MPLS network. 

7. The edge router according to claim 6, further comprising: 

a route decision unit for deciding a route which directs 
an MPLS packet to a receiver-side edge router; and 

a forwarding label storage unit for storing forwarding 
labels , which specify routes decided by said route decision unit , 
mapped to addresses of receive-side edge routers; 

wherein said MPLS packet generating unit finds a 
receive-side edge router corresponding to a destination of a 
packet, finds a forwarding label, which corresponds to the 
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receive-side edge router, from said forwarding label storage 
unit, and generates an MPLS packet that contains the VPN label 
and the forwarding label. 

8. The edge router according to claim 7, wherein said MPLS 
packet generating unit receives from edge routers which are 
connected to other VLANs constituting said VPN , information 
comprising a combination of addresses of these edge routers and 
addresses of VLAN-compatible devices connected to these edge 
routers, creates layer 2 routing table based upon said received 
information and finds said receive-side edge router, which 
corresponds to the destination of the packet, from said layer 
2 routing table. 

9. An edge router in a network for forming a VPN on a shared 
network, forming a core network of the VPN by an MPLS network 
and forming an access network, which is for accessing the core 
network, by a VLAN, wherein a receive-side edge router 
comprises : 

a table for storing correspondence between VLAN 
identifiers (VIDs) and VPN labels serving as VPN identifiers; 
and 

a VLAN packet generating unit for finding a VID 
corresponding to a VPN label, which is contained in a packet 
that enters from the MPLS network, using said table, generating 
a VLAN packet that includes this VID, and sending this VLAN 
packet to a VLAN. 

10. An edge router in a network for forming a VPN on a shared 
network, forming a core network of the VPN by an MPLS network 
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and forming an access network, which is for accessing the core 
network, by a VLAN, comprising: 

a table for storing correspondence between VLAN 
identifiers (VIDs) and VPN labels serving as VPN identifiers; 

an MPLS packet generating unit for finding a VPN label 
corresponding to a VID, which is contained in a packet that 
enters from the VLAN, using said table, generating an MPLS 
packet that includes this VPN label and sending this MPLS packet 
to the MPLS network; and 

a VLAN packet generating unit for finding a VID 
corresponding to a VPN label, which is contained in a packet 
that enters from the MPLS network, using said table, generating 
a VLAN packet that includes this VID, and sending this VLAN 
packet to a VLAN, 

[DETAILED DESCRIPTION OF THE INVENTION] 
[0001] 

[FIELD OF THE INVENTION] 

This invention relates to a network and to an edge router. 
More particularly, the invention relates to a network for 
forming a VPN (Virtual Private Network) on a shared network and 
communicating over the VPN, and to an edge router in a network 
for forming a VPN on a shared network, forming a core network 
of the VPN by a label switching network and forming an access 
network, which is for accessing the core network, by a VLAN 
(Virtual LAN) . 
[0002] 
[PRIOR ART] 
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In order to construct a network (an intranet) within an 
enterprise, it is necessary to interconnect the home of fice, 
business offices, branches, factories and research labs, etc., 
scattered over a number of areas. With the age of 
internationalization upon us, there is a need for intranets that 
are connected widely to business sites overseas without being 
closed solely within one 1 s own country. When an intranet is 
thus spread over a wide area, it becomes necessary to implement 
the same system environment at both the home and remote offices . 
VPNs (Virtual Private Networks) have been developed and adopted 
widely for this purpose. A VPN is a virtual private network 
that can be set up on a shared network (a wide-area network such 
as the Internet) and can be utilized without the user being aware 
of the fact that the shared network is being utilized. A VPN 
is constructed on a wide-area network (WAN) utilizing an access 
server, a WAN router and a VPN-dedicated devices. Techniques 
for constructing a VPN include a method using a VLAN (Virtual 
LAN) in accordance with IEEE 802. 1Q, a method based upon IPsec 
and a method using MPLS (Multiprotocol Label Switching), etc. 
[0003] 

VLANs form network-connected devices into groups without 
relation to their physical wiring and constructions, and each 
group is formed within an area that is reached by Layer-2 MAC 
frames . The sending and receiving of frames is performed within 
the same group and the broadcasting of frames also takes place 
within the same group. Communication with a different VLAN 
group general requires the intermediary of a router having a 
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relay function in Layer 3. 

Schemes for implementing a VLAN include (1) port-based 
VLAN, (2) MAC-address database VLAN and (3) policy-based VLAN. 
Among these , port-based VLAN is a scheme for forming a VLAN group 
statically on a switching hub on a per-physical-port basis, 
MAC-address database VLAN is a scheme which forms a VLAN group 
based upon MAC addresses possessed by terminals . The pertinent 
VLAN group is recognized based upon the MAC address of the 
originating source contained in a received packet. 
[0004] 

Fig. 18 shows an example of the structure of 
port-based VLAN according to the prior art . Here terminals such 
as personal computers are connected to respective ones of a 
plurality of LAN ports Pi to P6 of a switching hub SHB. The 
LAN ports PI to P3 belong to group 1 and the LAN ports P3 to 
P6 belong to group 2 . Broadcast frames transmitted from 
terminals in group 1 are broadcast only to terminals in group 
1, and broadcast frames transmitted from terminals in group 2 
are broadcast only to terminals in group 2. The sending and 
receiving of frames is performed only within the same group, 
and communication between the different groups 1, 2 requires 
the intervention of a router, not shown. Prior to grouping, 
broadcast frames needed to be relayed to all terminals. By 
grouping, however, broadcast frames now need only be relayed 
within the group. This makes it possible to alleviate the load 
on the network. Moreover, since a frame is not transmitted from 
one group to another, security can be maintained. 
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[0005] 

A VLAN can be designed in such a manner that a LAN port 
is placed in multiple groups , as is the case with LAN port P3 
in Fig. 19. Further, grouping is not limited to a single 
switching hub. As shown in Fig. 19, it is possible to group 
ports belonging to a plurality of switching hubs SHBl to SHB3. 
More specifically, ports Pi to P3 of each of the switching hubs 
SHBl to SHB3 are grouped, a VLAN ID (VID: Virtual LAN 
Identifier) specific to each group is assigned to each group, 
and a tagging scheme described below is adopted to construct 
a plurality of VLANs (VLAN1 to VLAN 3) that bridge a plurality 
of devices. As a result of this arrangement, terminals 
belonging to the same VLAN can communicate with one another, 
regardless of where they are installed, just as if they were 
connected to the same physical network. 
[0006] 

The tagging scheme mentioned above is a technique 
standardized by IEEE 8 02 . 1Q. In accordance with tagging, a VID 
is assigned to a MAC frame in the manner of a tag. The tag is 
carried with the MAC frame along with the packet. An L2 switch 
(switching hub) that has received a tagged MAC frame analyzes 
the content of the tag and relays the frame to the appropriate 
port belonging to the VLAN. 
[0007] 

Fig. 20 illustrates the format of a MAC frame in a VLAN 
(compliant with IEEE 802. 1Q) according to the prior art. Here 
Ml represents a MAC destination address (MAC DA) ; M2 a MAC source 
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address (MAC SA) ; M3 a tag; M4 type; and M5 an IP packet (composed 
of an IP header, TCP header and data field) . The tag M3 consists 
of four bytes and has (1) a TPID (Tag Protocol Identifier), (2) 
user priority, (3) a CFI (Canonical Format Indicator), (4) a 
VID (Virtual LAN Identifier) , (5) length and (6) an RIF (Routing 
Information Field) . The value of TPID, which is a hexadecimal 
number, is fixed at 81-00 ( IEEE 802 . 1Q tag type ) . User priority 
expresses the order of priority of the frame using three bits. 
The CFI indicates the absence or presence of an RIF in the tag 
header. The VID is a 12-bit virtual-LAN identifier; a total 
of 20 12 = 4096 VIDs can be specified. 
[0008] 

Fig. 21 illustrates an example of VLAN implementation 
according to the prior art. Shown in Fig. 21 are a first 
switching hub SHBl in which personal computer terminals PCI, 
PC2 are connected to ports PI, P2 , respectively; a second 
switching hub SHB2 in which personal computer terminals PC3, 
PC4 are connected to ports PI, P2, respectively; a third 
switching hub SHB3 in which the first and second switching hubs 
SHBl, SHB2 are connected to ports Pi, P2, respectively; and a 
router RT connected to port P3 of the third switching hub SHB3 . 
The first and second switching hubs SHBl, SHB2 are connected 
to the third switching hub SHB3 via their respective ports P3 . 
[0009] 

The first and third personal computer terminals PCI, PC3 
construct a first VLAN (VID = 10) , the second and fourth personal 
computer terminals PC2 , PC4 construct a second VLAN (VID = 20) , 
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and the ports Pi to P3 of each of the first switching hubs SHB1 
to SHB3 are grouped as indicated by the VID values in Fig. 21. 
The ports having two VID values each belong to two groups. In 
an instance where the personal computer terminal PCI transmits 
a packet to the personal computer terminal PC3, the personal 
computer terminal PCI transmits a packet having the MAC address 
of the personal computer terminal PC3 placed in its header as 
the destination address. Upon receiving this packet at port 
Pi, the first switching hub SHB1 finds the VID (= 10) of the 
VLAN to which the port Pi belongs from a predetermined table , 
assigns a tag inclusive of VD=10 to the received packet and 
transmits the packet from port P3 of VID=10. The tagged packet 
is then transmitted to the second switching hub SHB2 via the 
ports PI , P2 of third switching hub SHB3 . When the tagged packet 
arrives at the second switching hub SHB2 , the latter removes 
the tag and transmits the packet to the personal computer 
terminal PC3 from port Pi (VID=10). 
[0010] 

On the other hand, if the personal computer terminal PCI 
transmits a packet to the personal computer terminal PC4 in the 
other group, the personal computer terminal PCI transmits a 
packet having the MAC address (Layer-2 address) of the router 
RT placed in its Layer-2 header as the destination address and 
having a Layer-3 address (IP address) of the personal computer 
terminal PC4 placed in its Layer-3 header (IP header). Upon 
receiving this packet at port PI, the first switching hub SHBl 
finds the VID (= 10) of the VLAN to which the port PI belongs 
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from the table, assigns a tag inclusive of VD=10 to the received 
packet and transmits the packet from port P3 of VID=10. The 
third switching hub SHB3 transmits the received packet as is 
from its port P3 of VID=10. Upon receiving the packet, the 
router RT changes the VID value from 10 to 2 0 and changes the 
destination MAC address of the packet to the MAC address of the 
personal computer terminal PC4 by referring to the Layer- 3 
address of the destination and then transmits the packet from 
its port Pi . The tagged packet is then transmitted to the second 
switching hub SHB2 via the ports P3, P2 of the third switching 
hub SHB3 . 

In accordance with the above-described VLAN, the 
foundation for next-generation LANs can be constructed flexibly 
while preserving the existing assets of an enterprise 
information system (intranet), and it is possible to achieve 
streamlining by integrating network administration and 
operation. 
[0011] 

A method based upon MPLS (Multiprotocol Label Switching) 
is available as a method of constructing a VPN. MPLS is a 
protocol that introduces the concept of a path (a virtual 
communication path) into an IP network where the concept of a 
connection does not exist. The MPLS network adds a new field 
"label", which is for identifying the connection, onto an IP 
packet, and the network router transmits the IP packet upon 
popping, pushing or swapping the label value of the "label" 
field. In accordance with MPLS, an IP connection-type service 
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can be provided. Moreover, security can be assured on a 
per-connection basis and an IP private-line service, which 
serves as a substitute for a private line, can be provided 
efficiently by an IP network- This is a method having a very 
high degree of scalability. Further, a method of constructing 
a VPN using MPLS has been disclosed as RFC 254 7 BGP / MPLS VPNs. 
An IP VPN can be constructed on the Internet by this RFC method. 
[0012] 

MPLS is situated intermediate Layer 2 and the IP layer. 
An ordinary router executes forwarding processing by referring 
to the IP header of an IP packet. However, a router which 
supports MPLS executes forwarding based upon the label provided 
between the IP header and L2 header without referring to the 
IP header. 

Fig. 2 3 is a diagram useful in describing MPLS. Routers 
for MPLS are indicated at numerals 1 to 5 . MPLS routers 1 and 
5 constitute edge routers for making a connection to the outside 
of the MPLS network, and MPLS routers 2 to 4 constitute core 
routers within the MPLS network. A terminal device on the 
transmitting side is connected to the edge router 1 via a LAN 
or the like, and a terminal device at the destination having 
an IP address 10.1.100.0/24 is connected to the edge router 5 
via a router and a LAN. If the two terminal devices are to 
communicate, an LSP (Label Switched Path) is set up between the 
edge routers 1, 5, to which the terminals are connected, in 
accordance with an LDP (Label Distribution Protocol) and 
through use of a label, and label tables la to 4a are formed 
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in the MPLS routers 1 to 4, respectively, that form this LSP. 
[0013] 

If a MAC frame containing an IP packet enters from a 
terminal device on the transmitting side under these conditions , 
the edge router 1 refers to the table , attaches a shim header 
(described later) , which is the MPLS header, to the MAC frame, 
attaches (pushes) "39" , which serves as the label, to the label 
field of the shim header, and then directs the frame to the next 
MPLS router 2. The latter refers to the table 2a, swaps label 
"37" for label "39" and then directs the frame to the next MPLS 
router 3, The latter refers to the table 3a, swaps label "36" 
for label "37" and then directs the frame to the next MPLS router 
4. The latter refers to the table 4a, finds a label "pop" that 
conforms to the label "36", nulls (pops) this label and then 
directs the frame to the next router 5 . Upon receiving the frame 
having the null label, the edge router 5 removes the shim header 
of the MPLS from the MAC frame and directs the frame to the 
terminal device at the destination, 
[0014] 

An LSR (Label Switching Router), which is a router for 
MPLS, is arranged to decide a route upon referring to IP-layer 
route information, such as routing table information, and to 
affix a label to this route. In other words, an LSR generates 
a label path automatically, in accordance with the LDP (Label 
Distribution Protocol) , along a route decided by the IP routing 
protocol ( IS-IS , OSPF, etc . ) • 
[0015] 
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Fig. 23 is a diagram useful in describing the manner in 
which a label path is set up. The MPLS router (LSR) 5, which 
is the edge router on the side of the destination terminal device, 
finds the upstream router (LSP) 4 in the direction of the MPLS 
router (LSR) 1 on the transmitting side using a routing protocol 
such as OSPF (Open Shortest Path First), requests the MPLS 
router (LSP) 4 to null the label and to then transmit the frame, 
and sends the IP address (= 10.1.100.0/24) of the destination 
terminal device. 

As a result, the MPLS router (LSR) 4 finds the available 
label value (= 36) , finds the MPLS router (LSP) 3 in the direction 
of the MPLS router (LSR) 1 on the transmitting side using the 
routing protocol, requests the MPLS router (LSP) 3 to make the 
label "36" and to then transmit the frame, and sends the IP 
address (= 10 •1.100. 0/24) of the destination terminal device. 
The MPLS router (LSP) 4 creates the label table 4a. The latter 
includes (1) the local label (=36), (2) the outgoing label (= 
pop label), (3) a prefix (= 10.1.100.0/24), (4) an outgoing 
interface (= Ethernet 6) for interfacing the MPLS router (LSR) 
5, and (5) next hop [= the IP address of the MPLS router (LSR) 
5]. The MPLS router (LSR) 3 and the MPLS router (LSR) 2 
similarly create the label tables 3a, 2a, respectively, and the 
MPLS router (LSR) 1, which is the edge router, creates the label 
table la. 
[0016] 

If under these conditions a MAC frame having an IP packet 
the destination IP address of which is 10.1.100.0/24 enters the 
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edge router 1 from the terminal on the transmitting side, the 
MPLS header is assigned to the frame, the frame is transmitted 
over the MPLS network while the label value of the label field 
is pushed, swapped and popped, and the frame is transmitted to 
the destination terminal device upon having its MPLS header 
removed by the edge router 5a, as described above in conjunction 
with Fig. 22. 
[0017] 

Fig. 24 is a diagram useful in describing the structure 
of a shim header, which is the MPLS header, and the position 
at which the shim header is inserted into a Layer-2 frame (MAC 
frame). Characters Ml, M2 , M4 and M5 in Fig. 24 represent a 
MAC destination address (MAC DA) , a MAC source address (MAC SA) , 
type and IP packet (IP header, TCP header, data), respectively. 
A shim header M6 is inserted between the Layer-2 header and the 
IP header. The shim header M6 has a 20-bit label field, a 3-bit 
EXP field, a 1-bit S field and an 8-bit TTL field. 

With MPLS, shim headers can be stacked and such stacking 
makes it possible to construct a VPN. More specifically, as 
shown in (A) of Fig. 25, two shim headers M6, M7 are forwarded 
upon being stacked in one IP frame. As shown in (B) of Fig. 
25, the label ( Layer- 1 label) of the first shim header M6 is 
used for forwarding within the MPLS network, and the label 
(Layer-2 label) of the second shim header M7 is used to identify 
the VPN line connected to the edge routers 1 and 5. That is, 
the second label is used for VPN identification. The second 
label can also be used to identify the user line. 
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[0018] 

Fig. 2 6 is a diagram useful in describing MPLS /VPN for 
implementing an IP-VPN by stacking two labels in accordance with 
the prior art. Here it is assumed that the user of a VPN A 
communicates via the edge routers 1 and 5 . The edge routers 
1, 5 assign VPN-IDs (VPN identifiers) per individual user-line 
interfaces beforehand. In Fig. 26, the edge router 1 assigns 
a VPN-ID of 13 to a network address 192.168.0.X possessed by 
the VPN-A site, and the edge router 5 assigns a VPN- ID of 13 
to a network address 192.168.1.X possessed by the VPN-A site 
and assigns a VPN-ID of 14 to a network address ZZZ.ZZZ.Z.Z 
possessed by a VPN-V site. 

Next , in accordance with an iBGP ( interior Border Gateway 
Protocol) , the edge router 5 on the receiving side reports the 
label information to the edge router 1 on the transmitting side 
per combination of VPN-ID and network address. The iBGP is a 
protocol for exchanging route information and the like over a 
TCP connection. The routers situated at the edge of the MPLS 
network send and receive VPN information to and from each other 
without the intervention of a core router. In the illustrated 
example, the edge router 5 on the receiving side uses iBGP to 
notify the edge router 1 on the transmitting side that the label 
of "192. 168.1.X, VPN-ID = 13" is "3" and that the label of 
"ZZZ.ZZZ.Z.Z, VPN-ID = 14" is "4". On the basis of this 
information, the edge router 1 creates label tables la, lb on 
a per-VPN-ID basis. 
[0019] 
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In concurrence with the foregoing, each MPLS router sets 
up a label table for forwarding the packet within the MPLS 
network by the LDP (Label Distribution Protocol) , as described 
above in connection with Figs. 22 and 23. As a result, "5" is 
reported from the core router 2 to the edge router 1 as the label 
for MPLS forwarding of the destination 192.168.1.X, "5" is 
reported as the label for MPLS forwarding of the destination 
ZZZ.ZZZ.Z.Z and these are added to the label tables la, lb. 

If an IP packet enters from the user site (transmission 
source VPN-ID = 13) of VPN A under conditions in which the table 
la has been created as set forth above, the edge router 1 refers 
to the table la based upon the transmission source VPN =13 and 
destination address 192.168.1.X, finds the label (= 3) for VPN 
identification and the label (=5) for MPLS forwarding, attaches 
these two labels to the packet and transmits the packet to the 
core router 2. The latter refers to the label (=5) for MPLS 
forwarding and executes forwarding processing. If the packet 
arrives, the edge router 1 on the receiving side refers to the 
label (=3) for VPN identification, determines that the VPN is 
VPN A, removes the label and sends the packet only to the user 
site of VPN A. 

It should be noted that the foregoing is an example in 
which two label tables are provided. In actuality, edge routers 
are provided with tables the number of which is equivalent to 
the number of source VPN-IDs and each table holds VPN 
identification labels and MPLS forwarding labels mapped to 
combinations of transmission source VPN-IDs and destination IP 
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addresses . 
[0020] 

Fig. 27 is a diagram useful in describing MPLS /VPNs 
according to the prior art. This is an example in which an MPLS 
network is constructed by the network of a communications 
provider. Shown in Fig. 27 are an MPLS network 11 belonging 
to the provider , provider edge routers (PE routers) 12 , 13, 14 
situated at the edge of the MPLS network, core routers 15 to 
18 situated with in the MPLS network, customer systems 
(intranets) 21 to 24, and customer edge routers (CE routers) 
25 to 28 situated at the edges of the customer systems. The 
PE routers 12 to 14 are routers which support Layer-2 MPLS and 
are VPN-aware. The PE router on the transmitting side adds a 
VPN identification label (VPN-ID) and an MPLS forwarding label, 
which have been set in a table beforehand, to a packet that enters 
from the CE router. Upon receiving this packet, the PE router 
on the receiving side sends the packet to the customer system 
that corresponds to the VPN identification label (VPN-ID) . In 
the example of Fig. 27, the VPN A is formed by the customer 
systems 21, 22 and the VPN B is formed by the customer systems 
23, 24. Accordingly, the terminal devices of each customer 
system in VPN A can access only the terminal devices in VPN A 
and cannot access the terminal devices in VPN B'. Similarly, 
the terminal devices in VPN B can access only the terminal 
devices in VPN B. 

Thus, if the same VPN-ID is assigned only to the same 
enterprise group, it is possible to construct an IP-VPN in which 
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this group will not be accessed from another enterprise group 
and cannot transmit data to another enterprise group. Hence, 
the IP-VPN is closed within the same enterprise group. 
[0021] 

[PROBLEM TO BE SOLVED BY THE INVENTION] 

The VLAN-based method of constructing a VPN is 
advantageous in that a VPN can be constructed easily and with 
little investment in equipment by assigning a unique VID to each 
customer on the network. However, the VID field is a maximum 
of 12 bits, meaning that only 4096 VIDs can be set if this is 
expressed as a decimal number. As a consequence, if users 
requesting VIDs in excess of 4096 appear, the system will no 
longer be able to cope, it will not be possible to meet the demand 
for networks of larger scale and scalability will be inadequate. 

With the MPLS-based method of constructing a VPN, on the 
other hand, the label area expressing the VPN identifier is 
composed of 2 0 bits. This is advantageous in that as compared 
with VLAN-based construction, many more VPNs can be set up, it 
will be possible to cope with the growth of the Internet and 
greater scalability can be provided. However, with the 
MPLS-based method of constructing a VPN, a costly MPLS-capable 
router must be installed close to the user and it is necessary 
that one port of an edge router be prepared for the user. The 
problem which arises is a very large investment for equipment. 
[0022] 

Accordingly, an object of the present invention is to 
provide an inexpensive, highly scalable VPN in a network by 
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constructing access networks using VLAN-compatible switchs, 
and constructing a core network using MPLS-compatible routers. 

Another object of the present invention is to provide 
an inexpensive, highly scalable VPN by providing interfaces 
between VLANs and an MPLS network to make it possible for the 
VLANs and MPLS network to coexist, and arranging it so that a 
transition can be made from a VLAN to the MPLS network with ease. 

Yet another object of the present invention is to provide 
an inexpensive, highly scalable VPN by using VLAN-compatible 
switchs in the access system of each area and constructing an 
MPLS-based VPN on a WAN between areas. 

A further object of the present invention is to provide 
an environment in which a user is capable of utilizing protocols 
other than IP, namely protocols such as IPX, FNA and AppleTalk, 
when a VPN is constructed. 
[0023] 

[MEANS FOR SOLVING THE PROBLEM] 

In accordance with a first aspect of the present invention, 
the foregoing objects are attained by providing a network for 
forming a VPN on a shared network and communicating via the VPN, 
characterized by forming a core network of the VPN by a label 
switching network, forming an access network, which is for 
accessing the core network, by a VLAN, and providing an edge 
of the label switching network with an interface device which 
implements an interface function for interfacing the label 
switching network and the VLAN. 

The interface device in this network can be constructed 
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by an edge router provided on an edge of an MPLS network. An 
edge router on a transmitting side converts a packet, which is 
sent from the VLAN, to an MPLS packet and transmits the packet 
to the MPLS network, which is the label switching network. An 
edge router on the receiving side converts the MPLS packet, 
which has been received from the MPLS network, to a VLAN packet 
and transmits the VLAN packet in the direction of a VLAN that 
belongs to the same VPN as that of a VLAN on the transmitting 
side . 
[0024] 

More specifically, each edge router has a table for 
storing correspondence between VLAN identifiers (VIDs) 
contained in VLAN packets and VPN identifiers (VPN labels) 
contained in MPLS packets, the edge router on the transmitting 
side finds a VPN label that corresponds to the VID of a VLAN 
packet, generates an MPLS packet having this VPN label and sends 
this MPLS packet to the MPLS network, and the edge router on 
the receiving side finds a VID that corresponds to a VPN label 
contained in an MPLS packet received from the MPLS network, 
generates a VLAN packet having this VID and sends this VLAN 
packet to the VLAN indicated by the VID. Further, the edge 
router has a route decision unit for deciding a route along which 
an MPLS packet is sent in the direction of the edge router on 
the receiving side, and a label table for storing a forwarding 
label, which specifies the path decided by the route decision 
unit, mapped to an address of the edge router on the receiving 
side, wherein the edge router on the transmitting side finds 
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a receive edge router corresponding to a destination MAC address 
of a packet, finds a forwarding label that corresponds to the 
receive edge router from this label table, generates an MPLS 
packet that contains the VPN label and the forwarding label and 
sends this MPLS packet to the MPLS network. 
[0025] 

In accordance with a second aspect of the present 
invention, the foregoing objects are attained by providing an 
edge router in a network for forming a VPN on a shared network, 
forming a core network of the VPN by an MPLS network and forming 
an access network, which is for accessing the core network, by 
a VLAN, wherein a transmit-side edge router comprises: (1) 
means for storing a corresponding relationship between VLAN 
identifiers (VIDs) and VPN labels, which are VPN identifiers; 
and (2) an MPLS packet generating unit for finding a VPN label 
corresponding to a VID, which is contained in a packet sent from 
the VLAN, using the corresponding relationship, generating an 
MPLS packet that includes this VPN label and sending this MPLS 
packet to the MPLS network. The transmit-side edge router 
further comprises: (3) a route decision unit for deciding a 
route along which an MPLS packet is sent in the direction of 
a receive-side edge router; and (4) a forwarding label storage 
unit for storing a forwarding label, which specifies the route 
decided by the route decision unit, mapped to the receive-side 
edge router; wherein the MPLS packet generating unit finds a 
receive-side edge router corresponding to a destination MAC 
address of a packet, finds a forwarding label that corresponds 
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to the receive-side edge router from the forwarding label 
storage unit, and generates an MPLS packet that contains the 
VPN label and the forwarding label. 
[0026] 

Further, in accordance with a third aspect of the present 
invention, the foregoing objects are attained by providing an 
edge router in a network for forming a VPN on a shared network, 
forming a core network of the VPN by an MPLS network and forming 
an access network, which is for accessing the core network, by 
a VLAN, wherein a receive-side edge router comprises: (1) a 
table for storing correspondence between VLAN identifiers 
(VIDs) and VPN labels, which are VPN identifiers; and (2) a VLAN 
packet generating unit for finding a VID corresponding to a VPN 
label, which is contained in a packet that enters from the MPLS 
network, using the table, generating a VLAN packet that includes 
this VID, and sending this VLAN packet to the MPLS network. 
[0027] 

Further, in accordance with a fourth aspect of the present 
invention, the foregoing objects are attained by providing an 
edge router in a network for forming a VPN on a shared network, 
forming a core network of the VPN by an MPLS network and forming 
an access network, which is for accessing the core network, by 
a VLAN, the edge router comprising: (1) a table for storing 
correspondence between VLAN identifiers (VIDs) and VPN labels, 
which are VPN identifiers; (2) an MPLS packet generating unit 
for finding a VPN label corresponding to a VID, which is 
contained in a packet that enters from the VLAN, using the table, 
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generating an MPLS packet that includes this VPN label and 
sending this MPLS packet to the MPLS network; and (3) a VLAN 
packet generating unit for finding a VID corresponding to a VPN 
label, which is contained in a packet that enters from the MPLS 
network, using the table, generating a VLAN packet that includes 
this VID, and sending this VLAN packet to the MPLS network, 
[0028] 

[DESCRIPTION OF THE EMBODIMENT] 

(A) Overview of the present invention 
Fig. 1 is a schematic view showing a mixed network 
composed of VLANs and an MPLS network according to the present 
invention. Here VLANs 101 to 104 of sites A to D, respectively, 
are managed by prescribed VIDs (VLAN IDs). A shared network 
(MPLS network) 110, which is managed by labels, has been 
constructed on the Internet (a WAN) by MPLS. The edges of the 
MPLS network are provided with edge routers 111 to 114. A 
transmit-side edge routers 111 to 114 convert VLAN packets (see 
Fig. 20), which enter from the VLANs 101 to 104, to MPLS packets 

[see (A) in Fig. 25] and transmits the MPLS packets, and a 
receive-side edge router converts MPLS packets to VLAN packets 
and outputs the VLAN packets to prescribed VLANs. 

[0029] 

More specifically, the transmit-side edge router 
converts a VID contained in a VLAN packet to a VPN label, which 
is a VPN identifier, finds a forwarding label for forwarding 
the packet along a prescribed route on the basis of the 
destination of the VLAN packet, imposes these labels in place 
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of the VIN to generate an MPLS packet, and sends the MPLS packet 
to the MPLS network 110. The latter routes the MPLS packet to 
the target receive-side edge router over a preset route while 
the forwarding label of the packet is replaced. Upon receiving 
the MPLS packet from the MPLS network, a receive-side edge 
router removes the forwarding label, converts the VPN label to 
the original VID, adds this VID to the packet in place of the 
label to generate a VLAN packet and sends the VLAN packet to 
the VLAN indicated by the VID. As a result of this operation, 
a packet can be transmitted from a transmit-side VLAN belonging 
to a certain VPN to a receive-side VLAN belong to the same VPN. 
[0030] 

Fig. 2 is a diagram schematically showing the structure 
of the edge router 111. The other edge routers are identically 
constructed. The edge router 111 has a line card 121 equipped 
with an Ethernet interface function for receiving a VLAN packet 
from a certain VLAN. A VPN identification unit 12 2 identifies 
a VPN by referring to the VID of the received VLAN packet and 
inputs the packet to a tag/label converter (subrouter) 123i (i 

= l, 2, ) that corresponds to this VPN. The subrouter 123i 

corresponding to the identified VPN has a table 124 which, as 
shown in Fig. 4, already stores the correspondence between (1) 
VLAN IDs (VIDs) and (2) VPN identifiers (VPN labels) that 
specify VPNs to which the VLANs specified by the VIDs belong. 
The edge router 111 further includes a route decision unit 131 
for deciding beforehand a route to a receive-side edge router 
using a routing protocol 132 and stores a forwarding label (a 
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push label), which specifies the decided route, in an MPLS 
network routing table ( f orwarding-label memory) 133 in 
correspondence with the IP address of the receive-side edge 
router . 
[0031] 

When a packet enters, the subrouter 123i refers to table 
124 to find the VPN identifier (VPN label) corresponding to the 
VID contained in the tag. The subrouter 12 3i further finds the 
receive-side edge router based upon the destination address 
contained in the packet and finds the forwarding label, which 
has been stored in correspondence with the IP address of this 
edge router, from the MPLS network routing table 133. 

If the label is found, the subrouter 123i inserts (swaps) 
the VPN label and the forwarding label in place of the tag of 
the packet and sends the MPLS packet to the MPLS network 110 
via a line card 128. The MPLS network 110 thenceforth routes 
the MPLS packet to the target receive-side edge router over the 
preset route while replacing the forwarding label. The line 
card 128 of the receive-side edge router receives an MPLS packet 
from the MPLS network 110, and a VPN identification unit 129 
identifies the VPN by referring to the VPN label of the MPLS 
packet and inputs the packet to the subrouter 123i(i=l,2, ...) 
that corresponds to the VPN. 
[0032] 

The subrouter 123i removes the forwarding label and then 
refers to the table 124 to find the VID that corresponds to the 
VPN label. The subrouter 123i then generates a VLAN packet by 
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adding a tag, which includes the VID found, in place of the VPN 
label and sends this VLAN packet to the VLAN, which is indicated 
by the VID, via the line card 121 on the side of the VLAN. It 
should be noted that the content of table 124 is not the same 
in each of the edge routers 111 to 114 and that the VID values 
of VLANs that belong to the same VPN are not necessarily the 
same. Further, though not shown clearly in Fig. 2, a subrouter 
exists for every VPN, as illustrated in Fig. 5. 

Thus, when communication is initiated from the VLAN 101 
of site A to the VLAN 103 of site D in Fig. 1, the tag and label 
are swapped by the edge routers 111, 114 in the manner shown 
in Fig. 3. As a result, a VLAN packet that enters from the 
transmit-side VLAN is changed to an MPLS packet by the edge 
router 111, the MPLS packet is transmitted through the MPLS 
network 110 and is converted to a VLAN packet by the edge router 
113 , and this VLAN packet is then transmitted to a VLAN belonging 
to a VPN identical with that on the transmit side. 
[0033] 

(B) Topology of MPLS-based enterprise networks 
Fig. 6 is a diagram useful in describing the topology 
of enterprise networks that rely upon an MPLS network. As shown 
in Fig. 6, an MPLS network 200 has been formed on the Internet 
serving as a shared network. Numerals 201, 202 and 203 denote 
VLAN domains for Tokyo, Nagoya and Osaka, respectively. The 
Internet is indicated at 2 04 and a firewall (FW) is shown at 
205. A plurality of enterprise VLANs have been set up at each 
of the VLAN domains. Provided between the MPLS network 200 and 
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the VLAN domains 201 to 2 03 at the edge of the MPLS network are 
provider edge routers (PEs) 211 to 213 , respectively, which 
terminate the respective VLANs . 
[0034] 

A VLAN (VID = 101) of an Enterprise A and a VLAN (VID = 
2 ) of an Enterprise B in the Tokyo area have been formed in the 
VLAN domain 2 01 for Tokyo. A CPE router (Customer Pre-equipment 
Edge router) 212 constituting part of the VLAN (VID = 101) of 
Enterprise A is connected by Ethernet to a first port of the 
edge router PE 211 via a Level-2 switch (switching hub) 213. 
A CPE router 214 constituting part of the VLAN (VID = 2 ) of 
Enterprise B is connected by Ethernet to a Level-2 switch 
(switching hub) 215. The switching hub 215 is connected to a 
second port of PE 211. 

A VLAN (VID = 152) of the Enterprise A and an intranet 
of an Enterprise C in the Nagoya area have been formed in the 
VLAN domain 2 02 for Nagoya. A CPE router 221 constituting part 
of the VLAN (VID = 152) of Enterprise A is connected by Ethernet 
to a first port of the edge router PE 212 via a Level-2 switch 
(switching hub) 222. A CPE router 224 constituting part of the 
intranet of Enterprise C is connected to the second port of PE 
212. 

A VLAN (VID = 1501) of the Enterprise A and an intranet 
of the Enterprise C in the Osaka area have been formed in the 
VLAN domain 203 for Osaka. A CPE router 231 constituting part 
of the VLAN (VID = 1501 ) of Enterprise A is connected by Ethernet 
to a first port of the edge router PE 213 via a Level-2 switch 
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(switching hub) 2 32. A CPE router 234 constituting part of the 
intranet of Enterprise C is connected to the second port of PE 
213. 
[0035] 

The VLAN (VID = 101 ), VLAN (VID = 152) and VLAN (VID = 
1501 ) of Enterprise A in the respective areas construct the same 
VPN. If the side of the MPLS network is viewed from the side 
of Enterprise A, therefore , it appears as though the CPE routers 
212, 221, 231 have been connected to a Layer-2 switching hub 
SHB, as illustrated in Fig. 7(A) , and the network of Enterprise 
A takes on an L2 (VLAN) -over-MPLS network topology in which a 
core network is constructed by the MPLS network and an access 
network is constructed by the VLANs. If the side of the MPLS 
network is viewed from the side of Enterprise B, it appears as 
though the CPE router 214 and firewall 205 have been connected 
to a Layer-2/ 3 switching hub SHB f , as illustrated in Fig. 7(B), 
and the network of Enterprise B takes on the form of an Internet 
connection. If the side of the MPLS network is viewed from the 
side of Enterprise C, it appears as though the CPE routers 224, 
2 34 of the intranets 223, 2 33, respectively, have been connected 
to a router RT, as illustrated in Fig. 7(C), and the network 
of Enterprise C takes on the form of an MPLS /VPNs network 
topology in which the VPN is constructed by the MPLS network. 
[0036] 

(C) L2 (VLAN) -over-MPLS network 

Fig. 8 is an overall view of an L2 (VLAN) -over -MPLS 
network according to the present invention. Here components 
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related to Enterprise A have been extracted from Fig. 6, and 
those components that are identical to those of Fig. 6 are 
designated by like reference characters. MAC addresses MAC A, 
MAC B and MAC C, which are Layer-2 addresses, have been assigned 
to the' routers CPE A 214, 221 and 231 , respectively, that 
construct the VLANs . 
[0037] 

(D) Edge router structure 

The edge routers PE A to PE C are identically constructed. 
Fig. 9, which illustrates the structure of an edge router, shows 
the details of the edge router depicted in Fig. 2. Components 
in Fig. 9 that are identical to those of Fig. 2 are designated 
by like reference characters. 

The line card 121, which has an Ethernet interface 
function, receives a VLAN packet from a prescribed VLAN. The 
VPN identification unit 122 identifies the VPN by referring to 
the VID of the received VLAN packet and inputs the packet to 
the subrouter 123i that corresponds to this VPN. As shown in 
Fig. 10, the Layer-2 label table 124 of the subrouter 123i 
already stores the correspondence among (1) VPN labels (VPN 
identifiers), (2) Layer-2 addresses (MAC addresses) of CPE 
routers under control, (3) output-side interfaces, (4) 
identifiers (VIDs) of VLANs connected to the edge routers, and 
(5) VPNi (VPN instance: a convenient name for a VPN 
identifier) . 
[0038] 

For every VLAN constructing the VPN, an L2 VPN routing 
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table 125 stores (1) a Layer-2 address (MAC address) of the CPE 
router within the VLAN, (2) a loopback address (IP address) of 
the edge router to which the CPE router is connected , and (3) 
an identifier (VID) of the VLAN to which the CPE router belongs, 
as shown in Fig. 10. In the example of Fig. 8, (1) MAC addresses 
MAC A, MAC B, MAC C of CPE routers 214, 221, 231, respectively, 
(2) loopback addresses (IP addresses) of edge routers (PE A, 
PE B , PE C) 211, 212,213 to which the CPE routers are connected, 
and (3) VIDs (= 101, 152, 1501) to which the CPE routers belong 
are stored in the table 125 in correspondence with the VLAN (VID 
= 101), VLAN (VID = 152) and VLAN (VID = 1501), respectively, 
as shown in Fig. 10. 
[0039] 

The MPLS network routing table ( f orwarding-label memory) 
133 stores forwarding labels which specify the route to the 
receive edge router. Using a routing protocol, the route 
decision unit for deciding the route within the MPLS network 
searches for routes from the transmit-side edge router to the 
receive-side edge router and assigns a label to each route in 
accordance with the LDP (Label Distribution Protocol) in such 
a manner that the VLANs belonging to the same VPN can communicate 
with one another. Accordingly, the route decision unit 131 
decides the route to the receive-side edge router using the 
routing protocol 132 and stores the forwarding label (push 
label), which specifies the route decided, in the forwarding 
label table 133 in a form mapped to the loopback address (IP 
address) of the receive-side edge router. 
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[0040] 

If a VLAN packet (see Fig. 20) enters as an input , a VPN 
label processor 12 6 finds the VPN identifier (VPN label) , which 
corresponds to the VID contained in the tag, from the VPN label 
table 124. Further, on the basis of the destination MAC address 
contained in the VLAN packet, a routing table processor 127 
obtains the loopback address of the output-side edge router from 
the L2 VPN routing table 125 and then finds the forwarding label 
(push label ) , which corresponds to the above-mentioned loopback 
address (IP address), from the forwarding label table 133. If 
the VPN label and push label have been found, the subrouter 123i 
swaps the VPN label and forwarding label for the tag to generate 
an MPLS packet, as shown in Fig. 3, and sends this MPLS packet 
to the MPLS network via the line card 128. 
[0041] 

The MPLS packet arrives at the target receive-side edge 
router along the preset route through the MPLS network while 
its forwarding label is replaced. The line card 128 of the 
receive-side edge router receives the MPLS packet from the MPLS 
network 110, and the VPN identification unit 12 9 identifies the 
VPN by referring to the VPN label of this MPLS packet and inputs 

the packet to the subrouter 123i (i = 1, 2, ) corresponding 

to this VPN. The subrouter 12 3i removes the forwarding label 
and refers to the VPN label table 124 to find the VID 
corresponding to the VPN label. The subrouter 123i then swaps 
a tag, which contains the VID, for the VPN label to thereby 
generate a VLAN packet and sends this VLAN packet via the line 
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card 121 to the VLAN indicated by the VID. It should be noted 
that the VPN label tables 124 in the edge routers 221 to 213 
(Fig- 8) are not identical in content and that the VID values 
of VLANs that belong to the same VPN are not necessarily the 
same. Further , though not shown clearly in Fig. 9, the 
subrouter 12 3i (i = 1, 2, ...) and the forwarding label table 
133 exist for every VPN. 
[0042] 

(E) Generation of VPN tables 

In order to arrange it so that VLANs belonging to a VPN 
can communicate with each other , it is necessary (1) to 
establish beforehand a route between the edge routers to which 
these VLANs are connected and store the forwarding label in the 
forwarding label table 133 (Fig. 9) of the router along the route, 
and (2) to create the VPN label table 124 and the L2 VPN routing 
table 125. A method of creating the forwarding label table 13 3 
is well known and need not be described. 

In order to create the VPN label table 124 and L2 VPN 
routing table 125, it is necessary for the operator to manually 
enter the VPN identifier (VPN label) , the VLAN identifier (VID) 
and the VPNi, as illustrated in Fig. 10(A). If these items of 
data are input to the edge router, the VPN label processor 126 
of the edge router uses the ARP (Address Resolution Protocol) 
to find the MAC address of the CPE router of the VLAN connected 
to this processor, finds the interface of the route over which 
the MPLS packet with the appended push label is sent, sets this 
as shown in Fig. 10(B) and creates the VPN label table 124. 
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[0043] 

Next, the routing table processor 127 finds the MAC 
address of the locally connected CPE router and the VLAN 
identifier (VID) from the VPN label table 124 and creates 
direct-connect information of the L2 VPN routing table 125 [see 
Fig. 10(B) ] . The edge routers (PE A, PE B, PE C) 211, 212, 213 
connected to the VLANs (VIDs = 101, 152, 1501) that construct 
the VPN thenceforth each send the other edge routers the MAC 
address of the locally connected user router CPE, the loopback 
address (IP address) of the locally connected edge router and 
the VID by using the iBGP (interior Border Gateway Protocol) . 
As a result, each edge router completes the fabrication of the 
L2 VPN routing table 125 [see Fig. 10(B)] based upon the received 
information. Thus, L2 VPN routing tables 125 shown in Figs. 
11(A) to 11(C) are created in the edge routers 211, 212, 213, 
respectively, with regard to the VPN of Enterprise A in Fig. 
8. 

[0044] 

(F) Example of communication from CPE A to CPE C 
Fig. 12 illustrates an example of transmission in which 
a packet is transmitted from the user router CPE A belonging 
to the VLAN (VID = 101) of Enterprise A in Tokyo to the user 
router CPE C belonging to the VLAN (VID = 1501) of Enterprise 
A in Osaka. 

The user router CPE A transmits a VLAN packet PKT1 that 
has been tagged with VID = 101. When the packet PKT1 enters 
the edge router PE A 211, the latter generates an MPLS packet 
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PKT2 by removing the tag and adding, in place of the tag, a VPN 
label (= 26: the VPN identifier of Enterprise A) and a 
forwarding label 

(= push label), and sends the packet PKT2 to the MPLS network 
200. The MPLS packet PKT2 subsequently arrives at the target 
receive-side edge router PE C 213 along the preset route through 
the MPLS network while its forwarding label is replaced. The 
receive-side edge router PE C 213 creates a VLAN packet PKT3 
by removing the labels and adding a VLAN identifier (VID = 1501) 
to which the destination user router CPE C belongs and then sends 
this packet to the VLAN specified by VID = 1501. As a result, 
the VLAN packet PKT3 arrives at the user router 231. 
[0045] 

(G) L2 (VLAN) -over-MPLS transmit processing 
Figs. 13 and 14 are flowcharts L2 (VLAN) -over-MPLS 
transmit processing . 

When a packet arrives as an input, the transmit-side edge 
router checks to see whether the packet has been tagged (step 
301). Since the packet is an MPLS packet if it has not been 
tagged, the edge router executes ordinary MPLS processing. If 
the packet has been tagged, the edge router extracts the value 
of the VLAN ID (=VID) contained in this tag (step 302) and checks 
to determine whether the VID value is equal to or greater than 
4096 (step 303) . If the VID value is equal to or greater than 
4096 ("NO" at step 303), this means that the range of 0 to 4095 
of VID values has been exceeded and the edge router therefore 
discards this packet. However, if the VID value lies within 
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the range 0 to 4095 ("YES 11 at step 303), the edge router refers 
to the VLAN ID and VPN label conversion table 124 (step 304) 
and checks to see whether a VPN label value has been discovered 
(step 305). If the decision is "NO", then the edge router 
executes ordinary MPLS processing. If the decision is "YES", 
on the other hand, the edge router removes the tag and imposes 
a Layer-2 label value (VPN label) (step 306). 
[0046] 

Next , based upon the destination MAC address of the packet , 
the edge router obtains the loopback address (IP address) of 
the receive-side edge router from the L2 VPN routing table 125 
(step 307). If the loopback address has been found, the edge 
router refers to the forwarding label table 133 to find the 
forwarding label (push label) (step 308) , imposes the push label 
as Layer 1 and sends the resulting packet to the MPLS network 
(step 309) . 

The above is the processing executed by the edge router 
on the transmitting side. 

This is followed by execution of processing for routing 
the packet through the MPLS network. The MPLS packet is 
forwarded to the target receive-side edge router along the set 
route through the MPLS network while the forwarding label is 
replaced (step 310). 
[0047] 

The receive-side edge router checks to see whether the 
MPLS packet has arrived (step 311). If the MPLS packet has 
arrived, the edge router removes the forwarding label attached 
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as Layer 1 (step 312). Next, the edge router extracts the 
La yer-2 VPN label (step 313) , refers to the table 124 indicating 
the correspondence between the VLAN ID (= VID) and VPN label 
( step 314) and checks to see whether the VID has been found ( step 
315). If the VID has not been found, the edge router discards 
the packet. If the VID has been found, however, the edge router 
removes the Layer-2 label and adds a tag that contains the VID 
to create a VLAN packet ( step 316). Next , the edge router refers 
to the VPN label table 124 to find the output interface and sends 
the VLAN packet to this interface (step 317) . The destination 
user router CPE C receives the VLAN packet and executes 
predetermined processing (step 318). 
[0048] 

(H) Processing for updating VPN table 

The structure of a VPN changes from time to time by being 
enlarged or otherwise modified by the policy of the enterprise. 
This makes it necessary to update the VPN tables 124, 125 in 
conformity with the change in VPN structure. Figs. 15A and 15B 
are diagrams useful in describing updating in a case where the 
user router CPE A communicates with the user router CPE C. 

1. If the MAC address of the destination user router 
CPE C is unknown, the user router CPE A 212 broadcasts an ARP 
packet containing the IP address of the router CPE C. 

2. Upon receiving the ARP packet (broadcast packet), 
the edge router PE A 211 creates a copy of the packet and directs 
it through the other edge routers PE B 212 and PE C 213. 

3 . Upon receiving the ARP packet containing its own IP 
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address , the user router CPE C imposes its own MAC address on 
an ARP-replay packet and sends back this packet. Each edge 
router PE automatically updates the MAC address of each CPE in 
the VPN label table 124 and L2 VPN routing table 125 according 
to the ARP-reply packet. 

4, An ARP packet containing the IP address of each 
router is broadcast periodically to update each table. 
[0049] 

(I) Processing for disabling communication between VLANs 
belonging to same VPN 

The processing for creating a VPN table described with 
reference to Figs. 10 and 11 is for a case where VLANs can 
communicate with each other freely. However, there are cases 
where it is desired to prohibit the communication between 
certain VLANs even though they belong to the same VPN. In such 
cases, the communication of routing information by iBGP is 
halted between the edge routers to which the VLANs for which 
communication is disabled belong. If this arrangement is 
adopted, the MAC address of the router CPE whose communication 
is to be disabled and the loopback address (IP address) of the 
edge router to which this router CPE is connected will no longer 
be registered in the L2 VPN routing table 125. This makes 
communication impossible. 
[0050] 

Fig. 16 is a flowchart illustrating processing t for 
creating the L2 VPN routing table 125 in a case where 
communication-disabled VLANs exist. 
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In regard to a prescribed VPN, a VLAN ID (VID) and a VPN 
identifier (VPN label) are input to and set in each edge router 
PE (step 401). The pair of VLANs for which communication is 
to be disabled is then entered (step 402). 

Each edge router PE creates the VPN label table 124 
automatically (step 4 03) and then creates direct-connect 
information in the L2 VPN routing table 125 (step 404), 
[0051] 

Using iBGP, each router then transmits VPN routing 
information (the MAC address of the edge router CPE and the 
loopback address of the edge router) to edge routers PE under 
the control of VLANs whose communication is not disabled (step 
405). VPN routing information is not transmitted to edge 
routers PE under the control of VLANs whose communication is 
disabled. Each edge router PE receives routing information 
sent from the other edge routers and creates the L2 VPN routing 
table 125 using this routing information (step 406) . Thus, the 
MAC address of a router CPE whose communication is to be disabled 
and the address of the edge router to which this router CPE is 
connected will not be registered in the L2 VPN routing table 
125 of the edge router PE. As a result, a forwarding label 
cannot be acquired and communication with the VLAN whose 
communication is to be disabled can no longer be carried out. 
[0052] 

(J) VLAN user priority and IP precedence in MPLS 
As shown in Fig. 17(A) , the tag of a VLAN packet includes 
3 -bit user priority and it is arranged so that the priority value 
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stipulated by each MAC is entered using these three bits. A 
priority value can take on eight levels of 0 to 7 • User priority 
is low if the value is small (e.g., 0) and high if the value 
is large. 

The label of an MPLS packet, on the other hand, includes 
a 3-bit experimental field EXP, as shown in Fig. 18(B). IP 
precedence is expressed using these three bits. IP precedence 
also is a priority value that can take on eight levels of 0 to 
7. Priority is low if the value is small (e.g., 0) and high 
if the value is large. Accordingly, when a conversion is made 
from a VLAN packet to an MPLS packet in an edge router, the 3 -bit 
user priority is inserted into the EXP field. When a conversion 
is made from an MPLS packet to a VLAN packet, the IP precedence 
of the 3-bit EXP field is inserted into the user-priority field. 
If this expedient is adopted, priority control in a VLAN can 
be continued as IP precedence control in an MPLS network. 
Further, it is possible to return from IP precedence control 
to the original priority control in a VLAN. 
[0053] 
ADDITION 
(ADDITION 1) 

A network for forming a VPN on a shared network and 
communicating via the VPN, comprising: 

a core network of the VPN formed by a label switching 
network; 

access networks formed by VLANs to access said core 
network; and 
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interface devices provided at edges of the label 
switching network for interfacing said label switching network 
and the VLANs. 
[0054] 

(ADDITION 2) 

The network according to ADDITION 1, wherein said 
interface devices are edge routers provided at edges of an MPLS 
network serving as said label switching network, said edge 
routers including : 

a transmit-side edge router for converting a packet, 
which is sent from a VLAN, to an MPLS packet and transmitting 
the packet to the MPLS network; and 

a receive-side edge router for converting the MPLS packet, 
which has been received from the MPLS network, to a VLAN packet 
and directing the VLAN packet to a VLAN that belongs to the same 
VPN as that of a VLAN on the transmit side. 
[0055] 

(ADDITION 3) 

The network according to ADDITION 2 , wherein each of said 
edge routers has a first table storing correspondence between 
VLAN identifiers ( VIDs ) contained in VLAN packets and VPN labels 
contained in MPLS packets; 

said transmit-side edge router finds a VPN label, which 
corresponds to a VLAN identifier (VID) of a VLAN packet, from 
said first table, generates an MPLS packet having this VPN label 
and sends this MPLS packet to the MPLS network; and 

said receive-side edge router finds a VID, which 



42 



corresponds to a VPN label contained in an MPLS packet received 
from the MPLS network, from said first table, generates a VLAN 
packet having this VID and sends this VLAN packet to a VLAN 
indicated by this VID. 
[0056] 

(ADDITION 4) 

The network according to ADDITION 3 , wherein each of said 
edge routers includes: 

a route decision unit for deciding a route which directs 
an MPLS packet to a receive-side edge router; and 

a second table for storing forwarding labels, which 
specify routes decided by said route decision unit, mapped to 
addresses of receive-side edge routers; 

said transmit-side edge router finds a receive-side edge 
router corresponding to a Mac destination address of a packet, 
finds a forwarding label, which corresponds to the receive- 
side edge router, from said second table, generates an MPLS 
packet that contains the VPN label and the forwarding label and 
sends this MPLS packet to the MPLS network. 
[0057] 

(ADDITION 5) 

The network according to ADDITION 4, wherein an edge 
router which constructs the VPN and is connected to a VLAN sends 
another edge router an address set composed of an address of 
a VLAN-compatible device connected to the first-mentioned edge 
router and the address of this edge router, and each edge router 
creates Layer 2 routing table based upon the received 
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information; and 

said transmit-side edge router finds a receive-side edge 
router, which corresponds to the destination of the packet, from 
said Layer 2 routing table. 
[0058] 

(ADDITION 6) 

The network according to ADDITION 5, wherein an edge 
router transmits no address information to an edge router to 
which is connected a VLAN that has been prohibited from 
communicating . 
(ADDITION 7) 

The network according to ADDITION 2, wherein said 
transmit-side edge router discards a VLAN packet having a VID 
value that is greater than a set value. 
(ADDITION 8) 

The network according to ADDITION 2 , wherein said 
transmit-side edge router inserts user priority information, 
which is contained in a tag of a VLAN packet, into a label of 
an MPLS packet as IP precedence information of the MPLS network, 
and said receive-side edge router inserts IP precedence 
information, which is contained in the label of an MPLS packet, 
into the tag of a VLAN packet as user priority information of 
the VPLAN. 
[0059] 

(ADDITION 9) 

An edge router in a network for forming a VPN on a shared 
network, forming a core network of the VPN by an MPLS network 
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and forming an access network, which is for accessing the core 
network, by a VLAN, wherein a transmit-side edge router 
comprises : 

means for storing a corresponding relationship between 
VLAN identifiers (VIDs) and VPN labels serving as VPN 
identifiers; and 

an MPLS packet generating unit for finding a VPN label 
corresponding to a VID, which is contained in a packet sent from 
the VLAN, using the corresponding relationship, generating an 
MPLS packet that includes this VPN label and sending this MPLS 
packet to the MPLS network. 
[0060] 

(ADDITION 10) 

The edge router according to ADDITION 9, further 
comprising: 

a route decision unit for deciding a route which directs 
an MPLS packet to a receiver-side edge router; and 

a forwarding label storage unit for storing forwarding 
labels , which specify routes decided by said route decision unit , 
mapped to addresses of receive-side edge routers; 

wherein said MPLS packet generating unit finds a 
receive-side edge router corresponding to a Mac destination 
address of a packet, finds a forwarding label, which corresponds 
to the receive-side edge router, from said forwarding label 
storage unit, and generates an MPLS packet that contains the 
VPN label and the forwarding label. 
[0061] 
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(ADDITION 11) 

The edge router according to ADDITION 10 , wherein said 
MPLS packet generating unit receives from edge routers which 
are connected to other VLANs constituting said VPN, information 
comprising a combination of addresses of these edge routers and 
addresses of VLAN-compatible devices connected to these edge 
routers, creates Layer 2 routing table based upon said received 
information and finds said receive-side edge router, which 
corresponds to the destination of the packet, from said Layer 
2 routing table • 
[0062] 

(ADDITION 12) 

An edge router in a network for forming a VPN on a shared 
network, forming a core network of the VPN by an MPLS network 
and forming an access network, which is for accessing the core 
network, by a VLAN, wherein a receive-side edge router 
comprises : 

a table for storing correspondence between VLAN 
identifiers (VIDs) and VPN labels serving as VPN identifiers; 
and 

a VLAN packet generating unit for finding a VID 
corresponding to a VPN label, which is contained in a packet 
that enters from the MPLS network, using said table, generating 
a VLAN packet that includes this VID, and sending this MPLS 
packet to a VLAN. 
[0063] 

(ADDITION 13) 
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An edge router in a network for forming a VPN on a shared 
network, forming a core network of the VPN by an MPLS network 
and forming an access network, which is for accessing the core 
network, by a VLAN, comprising: 

a table for storing correspondence between VLAN 
identifiers (VIDs) and VPN labels serving as VPN identifiers; 

an MPLS packet generating unit for finding a VPN label 
corresponding to a VID, which is contained in a packet that 
enters from the VLAN, using said table, generating an MPLS 
packet that includes this VPN label and sending this MPLS packet 
to the MPLS network; and 

a VLAN packet generating unit for finding a VID 
corresponding to a VPN label, which is contained in a packet 
that enters from the MPLS network, using said table, generating 
a VLAN packet that includes this VID, and sending this VLAN 
packet to a VLAN. 
[0064] 

(ADDITION 14) 

The edge router according to ADDITION 13, further 
comprising: 

a route decision unit for deciding a route which directs 
an MPLS packet to a receiver-side edge router; and 

a forwarding label storage unit for storing forwarding 
labels, which specify routes decided by said route decision unit , 
mapped to addresses of receive-side edge routers; 

wherein said MPLS packet generating unit finds a 
receive-side edge router corresponding to a destination of a 
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packet, finds a forwarding label, which corresponds to the 
receive-side edge router, from said forwarding label storage 
unit, and generates an MPLS packet that contains the VPN label 
and the forwarding label. 
[0065] 

(ADDITION 15) 

The network according to ADDITION 14, wherein said MPLS 
packet generating unit receives from edge routers which are 
connected to other VLANs constituting said VPN, information 
comprising a combination of addresses of these edge routers and 
addresses of VLAN-compatible devices connected to these edge 
routers, creates a routing table based upon said received 
information and finds said receive-side edge router, which 
corresponds to the destination of the packet, from said routing 
table. 
[0066] 

[ADVANTAGES OF THE INVENTION] 

Thus, in accordance with the present invention, the VPN 
identifier (VPN label) of an MPLS network can be expressed by 
20 bits and the MPLS network is used in the core part of a carrier 
network. This makes it possible to set up many more VPNs in 
comparison with the VLAN-based construction method, thereby 
solving the problem of the upper limit (4096) on the number of 
VLAN-based VPNs. In addition, a highly scalable VPN can be 
provided . 

Further, in accordance with the present invention, an 
access network is constructed by a VLAN-capable switching hub 
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and a core network is constructed by MPLS-capable routers, 
thereby making it possible to construct an inexpensive VPN (a 
network having an L2 (VLAN) -over-MPLS configuration) . That is , 
according to the present invention, rather than placing a costly 
MPLS-capable router in a particular area, a VLAN-capable 
switching hub is used for accessing on a per-area basis and an 
MPLS-based VPN is constructed on a WAN between areas, thereby 
enabling the provision of a low-cost, highly scalable 
(expandable) VPN. 
[0067] 

Further, in accordance with the present invention, an 
interface (edge router) is provided between a VLAN and an MPLS 
network. This enables the coexistence of VLANs and an MPLS 
network and facilitates movement from a VLAN to an MPLS network. 
In addition, it is possible to provide a low-cost, highly 
scalable VPN. 

Further, in accordance with the present invention, it 
is possible to provide networking methods, techniques and 
products based upon integration of VLANs and MPLS. This 
facilitates the transition from an existing network 
incorporating a VLAN to an L2 (VLAN) -over-MPLS network. 
[BRIEF DESCRIPTION OF THE DRAWINGS] 

Fig. 1 is a schematic view of mixed VLAN and MPLS networks 
according to the present invention; 

Fig. 2 is a diagram schematically showing the structure 
of an edge router; 

Fig. 3 is a diagram useful in describing swapping of VLAN 
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and MPLS packets; 

Fig, 4 shows a table for converting VIDs to VPN labels; 

Fig. 5 is another diagram showing the structure of the 
edge router; 

Fig. 6 is a diagram useful in describing the topology 
of enterprise networks which utilize MPLS; 

Figs. 7(A) to 7(C) are diagrams useful in describing 
enterprise networks; 

Fig. 8 is a diagram showing an L2 -over-MPLS network; 

Fig. 9 is a diagram showing the internal structure of 
a PE router (edge router); 

Figs. 10(A), 10(B) are diagrams useful in describing the 
generation of a VPN table; 

Figs. 11(a) to 11(c) are diagrams useful in describing 
an enterprise VPN table in each edge router; 

Fig. 12 is a diagram useful in describing transmission 
from a CPE A to a CPE C; 

Fig. 13 is part 1 of a flowchart illustrating L2 
(VLAN) -over-MPLS transmit processing; 

Fig. 14 is part 2 of a flowchart illustrating L2 
(VLAN) -over-MPLS transmit processing; 

Figs. 15 are diagrams useful in describing learning in 
case of a transmission from a CPE A to a CPE C; 

Fig. 16 is a flowchart of processing for creating a 
Level-2 VPN table in a case where a communication-disabled VLAN 
exists ; 

Figs. 17(A), 17(B) are diagrams useful in describing the 
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correspondence between user priority in a VLAN and IP precedence 
in MPLS; 

Fig. 18 is a diagram showing an example of the structure 
of a port-based VLAN according to the prior art; 

Fig. 19 is a diagram showing an example of an arrangement 
of VLANs in which ports belonging to a plurality of switching 
hubs have been grouped according to the prior art; 

Fig. 2 0 shows the format of a MAC frame in a VLAN according 
to the prior art; 

Fig. 21 illustrates an example of VLAN implementation 
according to the prior art; 

Fig. 22 is a diagram useful in describing MPLS according 
to the prior art; 

Fig. 23 is a diagram useful in describing the manner in 
which a label path is set up according to the prior art; 

Fig. 24 is a diagram useful in describing the structure 
of a shim header and the position at which the shim header is 
inserted according to the prior art; 

Fig. 25 is a diagram useful in describing the stacking 
of shim headers according to the prior art; 

Fig. 2 6 is a diagram useful in describing MPLS /VPN 
according to the prior art; and 

Fig. 2 7 is a diagram useful in describing MPLS /VPNs 
according to the prior art. 
[EXPLANATION OF SYMBOL] 
101-104 . .VLANs of sites A to D 
110.. MPLS Network 
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111-114 . .Edge Routers provided in the edges of the MPLS Network 
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j^*^ [Fig. 1] A schematic view of mixed VLAN and MPLS networks 
according to the present invention 
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A diagram schematically showing the structure of 
edge router 




[Fig. 3] a diagram useful in describing swapping of VLAN and 
MPLS packets 
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[Fig. 4] a table for converting VIDs to VPN labels 
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Fig- 6] A diagram useful in describing the topology of 
enterprise networks which utilize MPLS 
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[Fig. 8] 
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Fig. 10] Diagrams useful in describing the generation of a VPN 
table 
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[Figs. 11] Diagrams useful in describing an enterprise VPN table 
in each edge router 
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[Fig. 12] A diagram useful in describing transmission from a 
CPE A to a CPE C 
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14] Part 2 of a flowchart illustrating L2 (VLAN) 
MPLS transmit processing 
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[Fig. 15] Diagrams useful in describing learning in case of a 
transmission from a CPE A to a CPE C 
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[Fig. 16] A flowchart of processing for creating a Level-2 VPN 
table in a case where a communication-disabled VLAN 
exists 
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K< j^g« 17] Diagrams useful in describing the correspondence 
between user priority in a VLAN and IP precedence in 
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[Fig. 18] An example of the structure of a port-based VLAN 
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19] An example of an arrangement of VLANs in which ports 
belonging to a plurality of switching hubs have been 
grouped 
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[Fig. 20] A MAC frame format in a VLAN 
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[Fig. 21] An example of VLAN implementation 
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[Fig. 22] A diagram useful in describing MPLS 



CD 
Q 
LU 



o 
o 



com 
—(I— 

SO 



CM 



o 
o 
o 



*LO 



COLU 
SO 



CO 
CO 



OUT 


POP 




CO 
CO 



QL-LU 
CD CD 
Q_<C 



ca 

CO 



COLLI 
—II— 

SO 



CO 



o 
o 



COLU 
SO 



CD 
CO 



CNJ 

V 







OUT 


CO 
CO 


LABEL 
SWAPPING 




CO 








OUT 


CO 


LABEL 
SWAPPING 




CD 
CO 



CD 
Q 



colu 

SO 



V 



ft 



OUT 


CD 
CO 







CO 



LU 

CO 



o 
o 
o 



W-g. 23] A diagram useful in describing the manner in which 
a label path is set up 
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pig. 24 ] A diagram useful in describing the structure of a shim 
header and the position at which the shim header is 
inserted 
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[Fig. 25] A diagram useful in describing the stacking of shim 
headers 



co ^ 



CM 







DATA, . 


i 


TCP, 


f 
i 


clT 
















4 BYTES 
SECOND 

SHIM 
HEADER 

I lw./\L/LI \ 




/ 

4 BYTES 
FIRST SHIM 
HEADER 




BYTES 
TYPF 

i i rt- 


i 


CNI 




6 BYTES 
MAC SA 




6 BYTES 
MAC DA 






GO 



Q_ 
X 



CQ 



CO 

tz 

CQ 
GO 



V 
A 

V 

A co 

CQ 
CO 

A 



CO 

tz 

GO 

O 
CSi 



LABEL 
(SECOND 


LABEL 
, (FiRST Sh 


CvJ 








cc 




ct: 

LU 




LU 




>- 








<c 




— 1 




i 


\ 






: £ 

1 1 



CO 



CD 



CM 



X 



V V 



or 

CO LU 

or 



ct: 

LU 

>- 



QZ 
CO UJ 
— IK- 

or 



Q_ 
Q 



i 



LU 
>- 
<£ 



ft 



CO LU 

ct: 



i 
i 



ct: 

LU 

>- 



or 

COLU 
-JK 

:0 

cc: 













CNi 






LU 




ct: 










YEl 




YE 


<c 




<c 




<c 


Q_ 




i 




i 



-CM 



q: 




couj 








cur) 








a: 





[Fig. 27] A diagram useful in describing MPLS /VPNs 
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